Yesterday a nasty iPhone SMS spoofing hack was detailed by iOS hacker pod2g. Someone with malicious intent could theoretically change the reply-to number in an SMS message without your knowledge. For instance, you could receive an SMS from a number pretending to be your bank. If you replied with a password or other sensitive data, your security would be compromised. The hack also allows for someone to send a completely spoofed message from a random number.

This bug has been on the iPhone for years and is still present in the iOS 6 beta. Apple today released an official statement addressing the issue.

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.

So basically Apple is telling everyone to use iMessage, which makes sense. When using SMS, always be cautious of incoming messages. If you don’t know the sender, think twice before replying with any important information.

That’s not true. If they were spoofing the bank’s number and you replied to it, it would go to the BANK. And this is not an iPhone only problem. It can be done with any phone.

Shane Bryson

That’s not true. If they were spoofing the bank’s number and you replied to it, it would go to the BANK. And this is not an iPhone only problem. It can be done with any phone.

You have obviously not read all of the previous articles on this. It IS an iPhone only problem. It’s a problem with how the OS handles SMS. And if they are spoofing the bank’s number, no it doesn’t go to the bank, it goes to whoever is spoofing the number. Do you even understand what “spoofing” means?

trrosen

Shane, you’re the one not paying attention. Ndavid is correct. What shows as the reply to address is the reply to address. That is where the reply is sent, period. There is no danger that your reply would go to someone else. The mechanism to exploit this is to include a link in the text directing them to somewhere else. Spoofing the reply to is just to make it look authentic and to hide the sender’s identity. Proper procedures negate this threat: you should never use a sent link, SMS or email to make a secured contact. Always go to the site manually. The truth is yes this is just a weakness in the protocol. Saying the iPhone has a bug because it allows programmatic access to the protocol is obfuscating the issue. Any phone or computer can be set up to send such a text. There are even web services to do such things. Simply put SMS is just not a secure protocol and never was intended to be. You know we went a hundred years without caller ID. We knew not to simply trust the person on the other was who they said they were. The bug here is people have delegated common sense to their technology.

Jdsonice

OK I am sorry if this is a stupid question.

How does one use iMessage on an iPhone or iPad?

Thank You

Gkpm

You have obviously not read all of the previous articles on this. It IS an iPhone only problem. It’s a problem with how the OS handles SMS. And if they are spoofing the bank’s number, no it doesn’t go to the bank, it goes to whoever is spoofing the number. Do you even understand what “spoofing” means?

It’s you who doesn’t understand it.

It’s the From number that’s shown, kind of like a spoofed e-mail message. If you reply to it it goes to the spoofed number.

concentrateddon

That’s not true. If they were spoofing the bank’s number and you replied to it, it would go to the BANK. And this is not an iPhone only problem. It can be done with any phone.

You have obviously not read all of the previous articles on this. It IS an iPhone only problem. It’s a problem with how the OS handles SMS. And if they are spoofing the bank’s number, no it doesn’t go to the bank, it goes to whoever is spoofing the number. Do you even understand what “spoofing” means?

No, it is not an “iPhone only” problem. It is an iPhone problem to be sure – the practice should be to show the “reply to” number or name, or to visually indicate that there’s a different one than the “from” number or name, but the iPhone isn’t the only device on the planet which does so. Many feature phones exhibit the same behavior. It’s ultimately a problem with SMS that could be mitigated by a better device-side presentation.

Gkpm

No, it is not an “iPhone only” problem. It is an iPhone problem to be sure – the practice should be to show the “reply to” number or name, or to visually indicate that there’s a different one than the “from” number or name, but the iPhone isn’t the only device on the planet which does so. Many feature phones exhibit the same behavior. It’s ultimately a problem with SMS that could be mitigated by a better device-side presentation.

Showing the two numbers wouldn’t help much because things like banks always send a different number anyway. They never give you their real number.

assyrianpride

I wonder if anyone noticed the subliminal advertising for Apple: use iMessage, which means u need an Apple device

Shane Bryson

I wonder if anyone noticed the subliminal advertising for Apple: use iMessage, which means u need an Apple device

That’s the point of the entire article. Haha.

thegraphicmac

Apple to John Q. Public: If your car breaks down, simply fire up the jet and fly there instead.

Honestly, sometimes Apple needs to just not respond.

Tallest_Skil

Apple to John Q. Public: If your car breaks down, simply fire up the jet and fly there instead. Honestly, sometimes Apple needs to just not respond.

Yes, because Apple can certainly do ANYTHING about this given that it’s an inherent flaw in the SMS protocol itself…

John Neumann

OK I am sorry if this is a stupid question. How does one use iMessage on an iPhone or iPad? Thank You

I wonder if anyone noticed the subliminal advertising for Apple: use iMessage, which means u need an Apple device

This is the most stupid thing I have ever read.

Apple are giving iPhone users advice on how to avoid SMS spoofing, and you think they might need an Apple device? YOU’RE A GENIUS.

About the author

Alex Heath is a journalist and co-host of The CultCast who lives in Lexington, Kentucky. He has been quoted by the likes of the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to pitch a story, share a tip, or just get in touch, additional contact information is available on his personal site. Twitter always works too.
